[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-04 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@simo5, for some reason I couldn't add you as a reviewer, but I'd like to hear 
some feedback from you here!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-362998097
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#495][comment] DESKPROFILE: Add checks for user and host category

2018-02-04 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/495
Title: #495: DESKPROFILE: Add checks for user and host category

fidencio commented:
"""
Patch has been updated, thanks for the review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/495#issuecomment-362997910


[SSSD] [sssd PR#498][-Changes requested] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-04 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

Label: -Changes requested


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-04 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Patch set has been updated and also there's a PR related to the design page of 
this feature: https://pagure.io/SSSD/docs/pull-request/62
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-362997764


[SSSD] [sssd PR#498][synchronized] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-04 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498
From 2fa70e54298c8de35566d81a5da62f6f9d69e517 Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio 
Date: Sat, 20 Jan 2018 15:06:37 +0100
Subject: [PATCH 1/5] DESKPROFILE: Soften the umask for the domain's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default umask (0177) is way too strict, not allowing us to create
the domain's dir, which has to have its mode set to 0755.

In order to solve this, let's soften the umask to 0022.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from the Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 53c433145..f9a867daf 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir(
 char *domain;
 char *domain_dir;
 errno_t ret;
+mode_t old_umask;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir(
 goto done;
 }
 
+old_umask = umask(0022);
 ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755,
  getuid(), getgid());
+umask(old_umask);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
   "Failed to create the directory \"%s/%s\" that would be used to "
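Review bot: `old_umask = umask(0022);` changes process-wide state for the whole duration of sss_create_dir(), so any other file or directory this process creates in that window (including intermediate path components sss_create_dir() may create) gets the looser mask as well; since the directory has to end up 0755 no matter which umask the caller runs with, a chmod()/fchmod() on the created directory, which the umask does not affect, would give the same result without touching global state. The restore does sit before the `if (ret != EOK)` check, so the error path also puts the umask back.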

From 00616f8ec6f3ff763cefe8ba68a277b8d5a88752 Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio 
Date: Sat, 20 Jan 2018 23:58:14 +0100
Subject: [PATCH 2/5] DESKPROFILE: Fix the permissions and soften the umask for
 user's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The user dir has been created as 0600 and owned by the user. It doesn't
work anymore as CAP_DAC_OVERRIDE has been dropped from our systemd
service upstream.

In order to have it working again, let's change it to 0700 (as the
executable bit is needed for creating a file inside a folder) and soften
the default umask from 0177 to 0077 to be able to create this dir.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from the Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index f9a867daf..081171299 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -264,7 +264,9 @@ ipa_deskprofile_rules_create_user_dir(
 goto done;
 }
 
-ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid);
+old_umask = umask(0077);
+ret = sss_create_dir(domain_dir, shortname, 0700, uid, gid);
+umask(old_umask);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to create the directory \"%s/%s/%s\" that would be used "
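Review bot: the user's directory is now 0700 and owned by uid/gid (the user), which means the process creating it, once it lacks CAP_DAC_OVERRIDE, can no longer traverse it afterwards to write the profile; this patch therefore only works together with the seteuid()/setegid() change in patch 3/5 and should not land without it. The 0077 umask is narrower than the 0022 used for the domain directory in patch 1/5, which is fine since 0700 & ~0077 still yields 0700, and the parent is the 0755 domain directory owned by the creating process's uid rather than something the user can write to, so the user cannot pre-create the entry before ownership is handed over.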

From c1cb56dcec2ad1b2231dabd7eafcaf5f31f2efb7 Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio 
Date: Mon, 22 Jan 2018 11:49:23 +0100
Subject: [PATCH 3/5] DESKPROFILE: Use seteuid()/setegid() to create the
 profile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order to create the file with its owner set properly, let's use
seteuid()/setegid() when creating the profile, as, due to the drop of
CAP_DAC_OVERRIDE, "root" no longer has access to the folder where the
profile will be created.

By adopting the seteuid()/setegid() solution, calling fchown() on the
profile doesn't make sense, thus it was also removed.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from the Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 70 --
 1 file changed, 66 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 081171299..65ed8c01a 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -702,6 +702,8 @@ ipa_deskprofile_rules_save_rule_to_disk(
 const char 
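Review bot: the hunk is cut off on this page after `const char`, so only the approach stated in the commit message can be reviewed. When switching identity to create the profile, the usual order is setegid() then seteuid() on the way down and seteuid(0) then setegid(0) on the way back, with every return value checked and the restore run on every error path, otherwise a failure leaves the provider running as the user. seteuid()/setegid() leave supplementary groups alone, and on Linux glibc applies a set*uid() call to all threads of the process, so no other thread may be doing privileged file work during the window. Dropping fchown() is consistent with this only if the whole open()/write of the profile happens under the user's effective ids.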

[SSSD] [sssd PR#495][-Changes requested] DESKPROFILE: Add checks for user and host category

2018-02-04 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/495
Title: #495: DESKPROFILE: Add checks for user and host category

Label: -Changes requested


[SSSD] [sssd PR#495][synchronized] DESKPROFILE: Add checks for user and host category

2018-02-04 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/495
Author: fidencio
 Title: #495: DESKPROFILE: Add checks for user and host category
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/495/head:pr495
git checkout pr495
From 1fa5a0bfba05d43b50ad7f88e421695fab0ab623 Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio 
Date: Mon, 22 Jan 2018 00:02:43 +0100
Subject: [PATCH] DESKPROFILE: Add checks for user and host category
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

freeipa-deskprofile-plugin can have both the user and the host category set to
"all", and when that happens no users, groups, hosts or hostgroups
are going to be set.

Let's treat this expected (but so far missed) situation on the SSSD side.

Resolves:
https://pagure.io/SSSD/sssd/issue/3449

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 70 +++---
 1 file changed, 52 insertions(+), 18 deletions(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 53c433145..ffcb5c846 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -684,6 +684,8 @@ ipa_deskprofile_rules_save_rule_to_disk(
 TALLOC_CTX *tmp_ctx;
 const char *rule_name;
 const char *data;
+const char *hostcat;
+const char *usercat;
 char *shortname;
 char *domainname;
 char *base_dn;
@@ -722,6 +724,28 @@ ipa_deskprofile_rules_save_rule_to_disk(
 goto done;
 }
 
+ret = sysdb_attrs_get_string(rule, IPA_HOST_CATEGORY, );
+if (ret == ENOENT) {
+hostcat = NULL;
+} else if (ret != EOK) {
+DEBUG(SSSDBG_TRACE_FUNC,
+  "Failed to get the Desktop Profile Rule host category for rule "
+  "\"%s\" [%d]: %s\n",
+  rule_name, ret, sss_strerror(ret));
+goto done;
+}
+
+ret = sysdb_attrs_get_string(rule, IPA_USER_CATEGORY, );
+if (ret == ENOENT) {
+usercat = NULL;
+} else if (ret != EOK) {
+DEBUG(SSSDBG_TRACE_FUNC,
+  "Failed to get the Desktop Profile Rule user category for rule "
+  "\"%s\" [%d]: %s\n",
+  rule_name, ret, sss_strerror(ret));
+goto done;
+}
+
 rule_prio = talloc_asprintf(tmp_ctx, "%06d", prio);
 if (rule_prio == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate rule priority\n");
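Review bot: the two new failure branches log at SSSDBG_TRACE_FUNC but then `goto done`, aborting the save of this rule, while the other aborts in this function (for example the rule_prio allocation failure right below) use SSSDBG_CRIT_FAILURE; at the default debug level a rule that silently never reaches the disk would be impossible to diagnose. Use SSSDBG_CRIT_FAILURE (or at least SSSDBG_OP_FAILURE) for both. Treating ENOENT as "category not set" is the right fallback, since a rule without the attribute must still go through the memberUser/memberHost checks.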
@@ -753,26 +777,36 @@ ipa_deskprofile_rules_save_rule_to_disk(
 goto done;
 }
 
-ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
-rule_name, rule_prio,
-base_dn, username,
-_prio, _prio);
-if (ret != EOK) {
-DEBUG(SSSDBG_CRIT_FAILURE,
-  "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
-  ret, sss_strerror(ret));
-goto done;
+if (usercat != NULL && strcasecmp(usercat, "all") == 0) {
+user_prio = talloc_strdup(tmp_ctx, rule_prio);
+group_prio = talloc_strdup(tmp_ctx, rule_prio);
+} else {
+ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
+rule_name, rule_prio,
+base_dn, username,
+_prio, _prio);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
+  ret, sss_strerror(ret));
+goto done;
+}
 }
 
-ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
-rule_name, rule_prio,
-base_dn, hostname,
-_prio, _prio);
-if (ret != EOK) {
-DEBUG(SSSDBG_CRIT_FAILURE,
-  "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
-  ret, sss_strerror(ret));
-goto done;
+if (hostcat != NULL && strcasecmp(hostcat, "all") == 0) {
+host_prio = talloc_strdup(tmp_ctx, rule_prio);
+hostgroup_prio = talloc_strdup(tmp_ctx, rule_prio);
+} else {
+ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
+rule_name, rule_prio,
+base_dn, hostname,
+_prio, _prio);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
+  
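Review bot: in the `strcasecmp(usercat, "all") == 0` and `strcasecmp(hostcat, "all") == 0` branches the talloc_strdup() results are assigned to user_prio/group_prio and host_prio/hostgroup_prio without a NULL check, unlike the rule_prio allocation earlier in the function; on allocation failure the code would continue with NULL priorities. Add `if (user_prio == NULL || group_prio == NULL) { ret = ENOMEM; goto done; }` and the same for the host pair. Note also that "all" short-circuits the membership check entirely, so a rule with the user category set to "all" applies to every user regardless of memberUser, which is the intended semantics per the commit message but deserves a comment at the branch. The hunk is cut off on this page after the memberhost failure DEBUG(), so the remainder cannot be reviewed here.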

[SSSD] [sssd PR#495][+Changes requested] DESKPROFILE: Add checks for user and host category

2018-02-04 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/495
Title: #495: DESKPROFILE: Add checks for user and host category

Label: +Changes requested